CVE-2026-47138— Parse Platform Parse Server 资源管理错误漏洞

Parse Server: Pre-authentication denial of service via client version header regex backtracking

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1.

N/A

CWE-1333

Parse Platform Parse Server 资源管理错误漏洞

Parse Platform Parse Server是Parse Platform组织开源的一个开源后端,可以部署到任何可以运行 Node.js 的基础设施。 Parse Platform Parse Server 8.6.77之前版本和9.9.1-alpha.1之前版本存在资源管理错误漏洞，该漏洞源于请求标头解析器中存在多项式回溯问题，可能导致未经身份验证的攻击者通过发送包含恶意客户端SDK版本字段的HTTP请求，消耗Node.js工作进程大量同步CPU资源。

N/A

N/A